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Preface 



This volume contains the proceedings of the 25th International Conference on 
Application and Theory of Petri Nets (ICATPN 2004). The aim of the Petri net 
conferences is to create a forum for discussing progress in the application and 
theory of Petri nets. 

Typically, the conferences have 100-150 participants, one third of these com- 
ing from industry, whereas the others are from universities and research institu- 
tions. The conferences always take place in the last week of June. 

The conference and a number of other activities are coordinated by a steer- 
ing committee with the following members: Wil van cler Aalst (The Nether- 
lands), Jonathan Billington (Australia), JrgDesel (Germany), Susanna Donatelli 
(Italy), Serge Haddad (France), Kurt Jensen (Denmark), Maciej Koutny (United 
Kingdom), Sadatoslri Kumagai (Japan), Giorgio De Michelis (Italy), Tadao Mu- 
rata (USA), Carl Adam Petri (Germany, Honorary Member), Wolfgang Reisig 
(Germany), Grzegorz Rozenberg (The Netherlands, Chairman) and Manuel Silva 
(Spain). 

The 2004 conference was organized by the Department of Computer Science 
of the University of Bologna, Italy. We would like to thank the organizing com- 
mittee, chaired by Roberto Gorrieri, for the effort invested in making the event 
successful. We are also grateful to the following sponsoring institutions and or- 
ganizations: Associazione Italiana per l’Informatica ed il Calcolo Automatico 
(AICA), Microsoft Research, and Network Project & Solutions (NPS Group). 

We received a total of 62 submissions from 26 different countries. The pro- 
gram committee finally selected 19 regular papers and 5 tool presentation papers. 
This volume comprises the papers that were accepted for presentation. Invited 
lectures were given by Gianfranco Ciardo, Roberto Gorrieri, Thomas A. Hen- 
zinger, Wojciech Penczek, Lucia Pomello and William H. Sanders. Their papers 
are also included in this volume. 

Several tutorials and workshops were also organized within the conference, 
covering introductory and advanced aspects related to Petri nets. Detailed in- 
formation can be found at the conference URL (www. cs .unibo . it/atpn2004). 

We would like to thank all those who submitted papers to the Petri net con- 
ference. We are grateful to the program committee members and the referees 
for their valuable effort in reviewing and selecting the papers. We gratefully ac- 
knowledge Andrei Voronkov (University of Manchester) for his technical support 
with the PC management tool. Finally, we would like to mention the excellent 
cooperation with Springer- Ver lag during the preparation of this volume. 



April 2004 



Jordi Cortadella and Wolfgang Reisig 
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Positive Non-interference 
in Elementary and Trace Nets 



Nadia Busi and Roberto Gorrieri 

Dipartimento di Scienze dell’Informazione, Universita di Bologna 
Mura A. Zamboni, 7, 40127 Bologna, Italy 



Abstract. Several notions of non-interference have been proposed in the 
literature to study the problem of confidentiality in concurrent systems. 
The common feature of these non-interference properties is that they are 
all defined as extensional properties based on some notion of behavioural 
equivalence on systems. Here we also address the problem of defining 
non-interference by looking at the structure of the net systems under 
investigation. We define structural non-interference properties based on 
the absence of particular places in the net. We characterize a structural 
property, called PBNI+, that is equivalent to the well-known behavioural 
property SBNDC. We start providing a characterization of PBNI + on 
contact-free Elementary Net Systems, then we extend the definition to 
cope with the richer class of Trace nets. 



1 Introduction 

Non-interference has been defined in the literature as an extensional property 
based on some observational semantics: the high part of a system does not inter- 
fere with the low part if whatever is done at the high level produces no visible 
effect on the low part of the system. The original notion of non-interference in [9] 
was defined, using trace semantics, for system programs that are deterministic. 
Generalized notions of non-interference were then designed to include (nondeter- 
ministic) labeled transition systems and finer notions of observational semantics 
such as bisimulation (see, e.g., [13, 7, 12, 14, 8]). Relevant properties in this class 
are the trace-based properties SNNI and NDC , as well as the bisimulation-based 
properties BSNNI, BNDC and SBNDC proposed by Focardi and Gorrieri some 
years ago [7, 8] on a CCS-like process algebra. In particular, SNNI states that a 
system R is secure if the two systems R\H (all the high level actions are pre- 
vented) and R/H (all the high level actions are permitted but are unobservable) 
are trace equivalent. BNDC intuitively states that a system R is secure if it is 
bisimilar to R in parallel with any high level process II w.r.t. the low actions 
the two systems can perform. And SBNDC tells that a system R is secure if, 
whenever a high action h is performed, the two instances of the system before 
and after performing h are bisimilar from a low level point of view. 

In the first part of the paper we show that these non-interference properties 
can be naturally defined also on Petri Nets; in particular - to keep the presen- 
tation as simple as possible - we use Elementary Nets [6] . The advantage of this 

J. Cortadella and W. Reisig (Eds.): ICATPN 2004, LNCS 3099, pp. 1-16, 2004. 
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proposal is the import in the Petri Net theory of security notions that makes 
possible the study of security problems. Technically, what we do is to introduce 
two operations on nets, namely parallel composition (with synchronization in 
TCSP-like style) and restriction, and suitable notions of observational equiva- 
lences on the low part of the system (low trace equivalence and low bisimulation); 
then, five security properties are defined and compared in a rather direct way. 
In particular, the two properties based on low trace semantics, namely SNNI 
and NDC, are equivalent. On the contrary, in the bisimulation case, BSNNI is 
weaker than BNDC, which turns out to be equivalent to SB NDC. 

In this approach, the security property is based on the dynamics of systems; 
they are all defined by means of one (or more) equivalence check(s); hence, non- 
interference checking is as difficult as equivalence checking, a well-studied hard 
problem in concurrency theory. 

In the second part of the paper we address the problem of defining statically 
non-interference for Elementary nets, by looking at the structure of the net 
systems under investigation: 

— in order to better understand the causality and conflict among different 
system activites, hence grounding more firmly the intuition about what is 
an interference, and 

— in order to find more efficiently checkable non-interference properties that 
are sufficient conditions for those that have already received some support 
in the literature. 

We define structural non-interference properties based on the absence of par- 
ticular places in the net. We identify two special classes of places: causal places, 
i.e., places for which there are an incoming high transition and an outgoing low 
transition; and, conflict places, i.e. places for which there are both low and high 
outgoing transitions. Intuitively, causal places represent potential source of in- 
terference ( hilo flow for high input - low output), because the occurrence of the 
high transition is a prerequisite for the execution of the low transition. Similarly, 
conflict places represent potential source of interference ( holo flow for high out- 
put - low output ), because the occurrence of a low event tells us that a certain 
high transition will not occur. 

We show that when causal and conflict places are absent, we get a property, 
called Positive Place-Based Non-Interference ( PBNI+ for short), which turns 
out to be equivalent to SBNDC. More precisely, the net N has no causal and no 
conflict places if and only if it satisfies SBNDC. 

In the third part of the paper we extend the definition of PBNI+ to cope 
with the richer class of Trace nets[l]. We provide an example showing how our 
property can be used to capture the information flows arising in a shared variable 
that can be accessed and modified by both high and low users. 

The paper is organised as follows. In Section 2 we recall the basic definitions 
about transition systems and Elementary Nets. In Section 3 we recast the be- 
havioural approach to non-interference properties, originally defined in a process 
algebraic setting, on Elementary Nets. The original structural property PBNI+ 
for Elementary Nets is introduced in Section 4. In Section 5, after recalling the 
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basic definitions about Trace Nets, we extend the definition of PBNI+ to Trace 
Nets. Finally, some conclusive remarks are drawn. 



2 Basic Definitions 

Here we recall the basic definition about transition systems and elementary net 
systems we will use in the following. 

2.1 Transition Systems 

Definition 1. A transition system is a triple TS = (St,E,—>) where 

— St is the set of states 

— E is the set of events 

— — >C St x E x St is the transition relation. 

In the following we use s —>■ s' to denote (s, e, s') £— >. 

Given a transition s s' , s is called the source, s' the target and e the label 
of the transition. 

A rooted transition system is a pair (TS,Sq) where TS = (St,E,—>) is a 
transition system and sq £ St is the initial state. 

2.2 Elementary Net Systems 

Definition 2. An elementary net is a tuple N = ( S,T,F ), where 

— S and T are the (finite) sets of places and transitions, such that S IT T = 0 

— F C (S' x T) U (T x S) is the flow relation 

A set over the set S of places is called a marking. Given a marking m and 
a place s, if s £ m then we say that the place s contains a token, otherwise we 
say that s is empty. 

Let x £ S U T. The preset of x is the set *x = {y \ F(y,x)}. The postset of 
x is the set x* = {y \ F(x,y)}. The preset and postset functions are generalized 
in the obvious way to set of elements: if A C S L) T then *X = Uigx * x 
and X * = U^eA’ 2 '*- A transition t is enabled at marking m if *t C m and 
t* IT m = 0. The firing (execution) of a transition t enabled at m produces the 
marking m! = ( m\*t ) Lit* . This is usually written as m[t)m'. With the notation 
m[t) we mean that there exists m' such that m\t)m' . 

An elementary net system is a pair (iV, mo), where A is a net and mo is a 
marking of N, called initial marking. With abuse of notation, we use ( S , T, F, mo) 
to denote the net system ((S,T, F),m 0 ). 

The set of markings reachable from m, denoted by [m), is defined as the least 
set of markings such that 

— m £ [m) 

— if m! £ \m) and there exists a transition t such that m'[t)m" then m" £ \m). 
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The set of firing sequences is defined inductively as follows: 

— to o is a firing sequence; 

— if TOo[ti)mi . . . [t n )m n is a firing sequence and m n [t n +i)m n +i then 
m.o[fi)TOi . . . [t n )m n [t n +i)m n +i is a firing sequence. 

Given a firing sequence mo[fi)mi . . . [t n )m ni we call t\...t n a transition se- 
quence. The set of transition sequences of a net N is denoted by TS(N). We use 
a to range over TS(N). Let a = we use m[a)m n as an abbreviation for 

m[t\)m\ . . . [ t n )m n . 

The marking graph of a net N is 

MG(N) = ([ too),T , { (to, t, m') \ m £ [mo) A t € T A m[t)m'}) 

A net is simple if the following condition holds for all x, y € S U T: if *x = *y 
and x* = y* then x = y. 

A marking to contains a contact if there exists a transition t £ T such that 
*t C to and not(m[t)). A net system is contact-free if no marking in [m 0 ) contains 
a contact. A net system is reduced if each transition can occur at least one time: 
for al \t £T there exists to. £ [too) such that m[t). 

In the following we consider contact-free net systems that are simple and 
reduced. 

3 A Behavioural Approach to Non-interference 
for Elementary Nets 

In this section we recall from [5] some basic properties, initially proposed in a 
process algebraic setting by Focardi and Gorrieri [7, 8] . Our aim is to analyse 
systems that can perform two kinds of actions: high level actions, representing 
the interaction of the system with high level users, and low level actions, repre- 
senting the interaction with low level users. We want to verify if the interplay 
between the high user and the high part of the system can affect the view of 
the system as observed by a low user. We assume that the low user knows the 
structure of the system, and we check if, in spite of this, he is not able to infer 
the behavior of the high user by observing the low view of the execution of the 
system. 

Hence, we consider nets whose set of transitions is partitioned into two sub- 
sets: the set H of high level transitions and the set L of low level transitions. 
To emphasize this partition we use the following notation. Let L and H be two 
disjoint sets: with (S, L, H , F, mo) we denote the net system (S, LL) H,F, mo). 

The non-interference properties we are going to introduce are based on some 
notion of low observability of a system, i.e., what can be observed of a system 
from the point of view of low users. The low view of a transition sequence is 
nothing but the subsequence where high level transitions are discarded. 

Definition 3. Let N = (S', L , H , F, mo) be a net system. The low view of a 
transition sequence of N is defined as follows: 
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^jv(e) = £ 

A (rri\ - I "M 0 ")* i f t € L 

w ^Ajv(ct) otherwise 

The definition of Am is extended in the obvious way to sets of transitions 
sequences: Am(E) = {Ajv(ct) \ a € E} for E C (LUH)*. 

Definition 4. Let N\ and N 2 be two net systems. We say that Ni is low-view 
trace equivalent to N 2 , denoted by N\ ~tr N 2 , iff Am 1 (TS(Ni)) = Am 2 (TS(N 2 )). 

We define the operations of parallel composition (in TCSP-like style) and 
restriction on nets, that will be useful for defining some non-interference prop- 
erties. 

Definition 5. Let N\ = (Si, L\, H\, F\, mo,i) and N 2 = (S 2 , L 2 , H 2 , F 2 , mo, 2 ) 
be two net systems such that S\ IT S 2 = 0 and (L\ U L 2 ) n (H 1 U H 2 ) = 0. The 
parallel composition of N\ and N 2 is the net system 

JVi | N 2 = (5i U S 2 , L\ U L 2 , Hi U H 2 , F\ U F 2 , U m. 0 , 2 ) 

Definition 6. Let N = (S, L, H, F, mo) be a safe net system and let U be a 
set of transitions. The restriction on U is defined as N\U = (S,L' ,H' ,F' 
where 

L' = L\U 

H' = H\U 

F' = F\(S xUUU x S) 

Strong Nondeterministic Non-Interference ( SNNI for short) is a trace-based 
property, that intuitively says that a system is secure if what the low-level part 
can see does not depend on what the high-level part can do. 

Definition 7. Let N = (S, L, H , F, mo) be a net system. We say that N is SNNI 
iffN& tr N\H. 

The intuition is that, from the low point of view, the system where the high 
level transitions are prevented should offer the same traces as the system where 
the high level transitions can be freely performed. In essence, a low-level user 
cannot infer, by observing the low view of the system, that some high-level 
activity has occurred. 

As a matter of fact, this non-interference property captures the information 
flows from high to low, while admits flows from low to high. For instance, the 
net N' of Figure 1 is SNNI while the net N" is not SNNI. 

An alternative notion of non-interference, called Nondeducibility on Compo- 
sition ( NDC for short), says that the low view of a system N in isolation is not 
to be altered when considering each potential interaction of N with the high 
users of the external environment. 

Definition 8. Let N = (S,L,H,F,mff) be a net system. We say that N is a 
high-level net if L = 0. 
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N' N" 

Fig. 1 . The net system N' is SNNI while N" is not SNNI. 



Definition 9. Let N = (S, L, H, F,mo) be a net system. N is NDC iff for all 
high-level nets I\ = (SK,^,HKiFK,'mo,K)-' N\H ~tr (N \ K)\(H \ Hk). 

The left-hand term represents the low view of the system N in isolation, 
while the right-hand term expresses the low view of N interacting with the 
high environment K (note that the activities resulting from such interactions 
are invisible by the definition of low view equivalence). NDC is a very intutive 
property: whatever high level system K is interacting with N, the low effect 
is unobservable. However, it is difficult to check this property because of the 
universal quantification over high systems. Luckily enough, we will then prove 
that SNNI and NDC are actually the same non-interference property. 

Theorem 1 . Let N = (S, L, H, F,mo) be a net system. N is SNNI if and only 
if N is NDC. 

The two properties above are based on (low) trace semantics, ft is well-known 
[8] that bisimulation semantics is more appropriate than trace semantics because 
it captures also some indirect information flows due to, e.g., deadlocks. For this 
reason, we now consider non-interference properties based on bisimulation. To 
this aim, we first need to introduce a notion of low- view bisimulation. 

Definition 10. Let Ni = (Si, L\, H\, F\, mo,i) and N 2 = (S 2 , L2, H2, F 2 , mo, 2) 
be two net systems. A low-view bisimulation from N\ to N 2 is a relation on 
A 4 (S\) x M(S 2 ) such that if (mi, m2) £ R then for all t G (Ji=i 2 Li C Hi: 

— if m\\t)m'i then there exist a,m ' 2 such that m2[cr)m2, Awfft) = An 2 (u) and 
(m^, miff £ R 

— ifm 2 [t)m ' 2 then there exist a,m[ such that mi[(j)m'i, Afj 2 (t ) = A^ffcr) and 

£ R 

If Ni = N 2 we say that R is a low-view bisimulation on Ni . 

We say that Ni is low-view bisimilar to N 2 , denoted by Ni ~bis if there 
exists a low-view bisimulation R from iV) to N 2 such that ( TOo,i,mo,2 ) £ R- 
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The first obvious variation on the theme is to define the bisimulation based 
version of SNNI, yielding BSNNI. 

Definition 11. Let N = (S, L, H, F, Too) be a net system. We say that N is 
BSNNI iff N « bis N\H. 

Obviously, BSNNI C SNNI. The converse is not true: the net N in Figure 2 is 
SNNI but not BSNNI. Note that SNNI misses to capture the indirect information 
flow present in this net: if the low transition l cannot be performed, the low user 
can infer that the high transition h has been performed, hence deducing one 
piece of high knowledge. 




Fig. 2. A net system that is SNNI but not BSNNI. 



Similarly, BN DC can be defined from NDC , yielding a rather appealing se- 
curity property, which is finer than BSNNI. 

Definition 12. Let N = (S, L, H, F,mo) be a net system. N is BNDC iff for 

all high-level nets K = (Sk, 0 , Hr, Fr, itio,k): N\H ~bis (N \ K)\(H\Hk). 

Theorem 2. Let N = (S, L, H, F,mo) be a net system. If N is BNDC then N 
is BSNNI. 

Unfortunately, the converse is not true: Figure 3 reports a net that is BSNNI 
but not BNDC ; the reason why can be easily grasped by looking at their respec- 
tive marking graphs in Figure 4. 

BNDC is quite appealing but, because of the universal quantification on all 
possible high level systems, it is difficult to check. The next property, called 
Strong Bisimulation Non Deducibility on Composition ( SBNDC for short), is 
actually an alternative characterization of BNDC which is easily checkable. 

Definition 13. Let N = (S', L, H, F, mo) be a net system. N is SBNDC iff for 
all markings m £ [mo) and for all h £ H the following holds: 

if m[h)m' then there exists a low-view bisimulation R on N\H such that 
(to, to') £ R. 

Theorem 3. Let N = (S, L, FT, F, Too) be a net system. N is BNDC if and only 
if N is SBNDC. 

The theorem above holds because we are in an unlabeled setting: transitions 
are not labeled. In [7, 8] it is proved that - for the Security Process Algebra - 
SBNDC is strictly finer than BNDC. 



Nadia Busi and Roberto Gorrieri 




MG(JV) 



MG(N\H ) 



MG((JV|K)\{h 2 }) 



Fig. 4. The marking graphs of the net systems N, N\H and (N \ K)\{h, 2 }. 



4 Positive Place-Based Non-interference 
in Elementary Nets 

In [4, 5] we defined two notions of non-interference, namely, PBNI and RBN1 , 
aiming at capturing any kind of information flow from high users to low users. 
Those notions capture both positive and negative informations on the high be- 
haviour of the system. More precisely, a positive information flow arises when 
the occurrence of a high level transition can be deduced from the low level be- 
haviour of the system, whereas a negative information is concerned with the fact 
that a high level transition has not occurred. 

In this paper we provide a characterisation of positive information flows, i.e. , 
we consider a system secure if it is not possible to deduce that some high level 
action has been performed by observing the low level behaviour. 

To this aim, we define the PBNI+ property based on the absence of some 
kinds of places in a net system. Consider a net system N = (S, L, H, F, mo). 

Consider a low level transition l of the net: if l can fire, then we know that 
the places in the preset of l are marked before the firing of l ; moreover, we know 
that such places become unmarked after the firing of l. If there exists a high level 
action h that produces a token in a place s in the preset of l (see the system 
Ni in Figure 5), then the low level user can infer that h has occurred if he can 
perform the low level action l. We note that there exists a causal dependency 
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Ni N 2 N 3 

Fig. 5. Examples of net systems containing conflict and (potentially) causal places. 



between the transitions h and l, because the firing of h produces a token that 
is consumed by l. Consider now the situation illustrated in the system N 2 of 
Figure 5: in this case, place s is in the preset of both l and h, i.e. , l and h. are 
competing for the use of the resource represented by the token in s. Aware of the 
existence of such a place, a low user knows that the high-level action h has been 
performed, if he is not able to perform the low-level action l. Place s represents 
a conflict between transitions l and h, because the firing of h prevents l from 
firing. 

Our idea is to consider a net system secure if it does not contain places of 
the kinds illustrated above. 

In order to avoid the definition of a security notion that is too strong, and 
that prevents systems that do not reveal information on the high-level actions 
that have been performed, we need to refine the concepts illustrated above. 
Consider the net system IV3 reported in Figure 5. Although s is a potentially 
causal place, the net system has to be considered secure, as the (unique) possible 
firing of l is at the initial marking, hence it is not caused by h. For s to be a 
source of information on the occurrence of h : there must exists a firing sequence 
where l consumes a token produced by h. In other words, s is an active causal 
place if there exists a path in MG{N 3 ) connecting (an occurrence of) h to (an 
occurrence of) l , such that the transitions occurring after h and before l do not 
produce tokens in s. 

Regarding conflicts, consider the net system N 4 reported in Figure 6. At 
first sight, the net IV4 could appear not secure because of the presence of the 
conflict place s. However, we note that the occurrence of h has no effect on the 
low behaviour of the system, as the possibility to fire l has already been ruled 
out by the firing of transition V . Hence, for s to be a source of information on 
the occurrence of h, there must exist a reachable marking where the firing of h 
rules out the possibility to fire (immediately or after some other transitions) l. 
In other words, s is an active conflict place if there exists a path in MG^) 
connecting the source of (an occurrence of) h to (an occurrence of) l, such that 
the transitions occurring in the path do not produce tokens in s. 
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N 4 

Fig. 6. A net system containing a potentially conflict place but no active conflict places. 



Definition 14. Let N = ( S , L, H , F, Too) be an elementary net system. Let s be 
a place of N such that s* fl L yf 0. 

The place s £ S is a potentially causal place if*sCH yf 0. 

A potentially causal place s is an active causal place if the following condition 
holds: there exist l £ s* fl L, h £ *s fl H, m £ [mo) and a transition sequence a 
such that m[hal) and s t* for all t £ a. 

The place s £ S is a potentially conflict place if s* D H yf 0. 

A potentially conflict place is a active conflict place if the following condition 
holds: there exist l £ s* fl L, h £ s* fl H, m £ [mo) and a transition sequence a 
such that m[h) , m[al) and s fLt* for all t £ a. 

Definition 15. Let N = (S, L, H, F,mo) be an elementary net system. We say 
that N is PBNI+ (positive Place Based Non-Interference,) if. for all s £ S, s is 
neither an active causal place nor an active conflict place. 

We have that the absence of both causal and conflict places is a necessary 
and sufficient condition for SBNDC. 

Theorem 4. Let N = (S.L,H,F,mo) be an elementary net system. If N is 
PBNI+ then N is SBNDC. 

Theorem 5. Let N = (S, L 1 H, F, mo) be an elementary net system. If N is 
SBNDC then N is PBNI+. 

Corollary 1. Let N = (S,L,H,F,mo) be an elementary net system. Then N 
is PBNI+ iff N is BNDC. 

5 Non-interference in Trace Nets 

In this section we extend the definition of PBNI+ to cope with the richer class 
of Trace nets [1] and we show that the results presented in the previous section 
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for elementary nets continue to hold also in this setting. Finally, we provide an 
example to show how our property can be used to capture the information flows 
arising in a shared variable that can be accessed and modified by both high and 
low users. 



5.1 Trace Nets 

Trace nets [1] are an extension of elementary nets: besides the classical flow 
arcs, also arcs permitting to test for presence/ absence of tokens in a place, as 
well as arcs permitting to fill/empty a place regardless of its previous contents, 
are added. 

Definition 16. A trace net is a tuple N = ( S,T,W ), where 

— S and T are the (finite) sets of places and transitions, such that S 0 T = 0 

— W : (SxT) — > {in, out, nop, read, inhib, set, reset} is the flow function, such 
that Vi £ TBs € S : W(s,t) ^ nop. 

The arcs of kind in and out correspond to the flow arcs of elementary nets: 
more precisely, a flow arc from a place s to a transition t is represented in trace 
nets by setting W(s,t) = in, whereas a flow arc from t to s is represented by 
setting W (s, t) = out. The arcs of kind read and inhib permit to test a condition 
on a place, without altering its contents. A read (resp. inhibitor) arc from s to t 
requires that s contains a token (resp. no tokens) for t to fire. The arcs of kind set 
and reset permit to set the contents of the place to a given value, independently 
of the previous contents of the place. A set (resp. reset) arc from s to t sets the 
number of tokens in place s to 1 (resp. 0) when t fires. Finally, an arc of kind 
nop denotes the absence of any kind of relation among the contents of s and the 
firing of t. 

We adopt the graphical convention proposed in [2], and depicted in Figure 7 
to draw trace nets: input (resp. output) arcs are represented as directed segments 
with an arrow on the transition (resp. place) side; read (resp. inhibitor) arcs are 
represented as segments with a small black (resp. white) circle on the transition 
side; set (resp. reset) arcs are represented as segment with a small black (resp. 
white) circle on the place side. 




in out read inhib set reset nop 



Fig. 7. Graphic conventions for drawing trace nets. 



To lighten the definitions of enabling of a transition and of the firing rule, we 
introduce the following auxiliary relations. Intuitively, t test 1 s (resp. t testO s) 
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holds if it is necessary that s contains one (resp. zero) tokens for t to fire. On 
the other hand, t setl s (resp. t setO s) holds if, after the firing of t, s contains 
one (resp. zero) tokens. 

Givens £ S and t £ T, we define the following relations: 
t testl s iff W(s,t) £ {in, read} 
t testO s iff W(s,t) £ {out, inhib} 
t setl s iff W(s,t) £ {out, set} 
t setO s iff W{s,t) £ {in, reset} 

A transition t is enabled at marking m if {s | t testl s} C m and {s | 
t testO s} fl m = 0. 

The firing (execution) of a transition t enabled at m produces the marking 
m! = {s £ S | t set 1 s} U {s £ to | W(s,t) = nop}. This is usually written as 
m[t)m'. 

A trace net system is a pair ( N , to-o), where N is a trace net and Too is a mark- 
ing of N, called initial marking. With abuse of notation, we use ( S , T, W, Too) to 
denote the trace net system ((S,T,W),mo). 

The definitions of reachable markings, firing sequences, marking graph and 
reduced system given in Section 2 for elementary nets apply also for trace nets. 

In the following we consider trace net systems that are reduced. 



5.2 Positive Place Based Non-interference for Trace Nets 

As already done for elementary nets, we consider trace nets whose set of transi- 
tions is partitioned into two subsets: the set H of high level transitions and the 
set L of low level transitions. Also for trace nets, given two disjoint sets L and 
H , with (S, L, H, W, too) we denote the trace net system (5, III H,W, mo). 

We extend the definitions of causal an conflict places for Elementary nets of 
Section 4 to Trace nets. 

An extension of the definition of potentially causal place for contact free 
elementary nets to trace nets leads to the following: a place s is a potentially 
causal place if there exist a high transition h that puts a token in s (either 
through an output or a set arc) and a low transition l that needs place s to be 
full to fire (because s and l are connected by a read or an input arc). However, 
as contact freeness no longer holds for trace nets, we have to take into account 
also causal dependencies arising from the fact that a high transition h removes 
a token contained in a place s (either through an input or a reset arc) that is 
required to be empty for a low transition l to fire (because s and l are connected 
by an output or an inhibitor arc). 

Also for potentially conflict places, two kinds of conflicts can arise. Similarly 
to elementary nets, s is a potentially conflict place if there exists a high transition 
h that removes a token from s and a low transition l that needs place s to be 
full to fire. Morevoer, s has to be considered a potentially conflict place also if 
there exists a high transition h that produces a token in S and a low transition 
l that needs place s empty to fire. 

Definition 17. Let N = (. S,L,H,W,mo ) be a trace net system. 
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The place s £ S is a potentially causal place if there exist h £ H , l £ L and 
X £ {0, 1} such that h setX s and l testX s. 

A potentially causal place s is an active causal place if the following condition 
holds: there exist h £ H , l £ L and X £ {0, 1} such that: 

— h setX s 

— I testX s 

— there exists a marking m £ [mo) and a transition sequence a such that 

• m[hal) 

• s £ to iff X = 0 

• for all t € cr: ->(t set 1 s) and ->(t setO s) 

The place s £ S is a potentially conflict place if there exist h £ H, l £ L and 
X £ {0, 1} such that h setX s and l test(l — X) s. 

A potentially conflict place is a active conflict place if the following condition 
holds: there exist h £ H , l £ L and X £ {0, 1} such that: 

— h setX s 

— I test( 1 — X) s 

— there exists a marking m £ [too) and a transition sequence <j such that 

• m[h) and m[al) 

• S £ TO iff X = 0 

• for all t £ a: ->(t setl s) and -i(f setO s) 

Definition 18. Let N = (S,L,H,F,mo) be a trace net system. We say that N 
is PBNI+ ("positive Place Based Non-Interference,) if. for all s £ S, s is neither 
an active causal place nor an active conflict place. 

The definitions of parallel composition and restriction presented in Section 3 
are extended to trace nets in the obvious way: 

Definition 19. Let Ni = (>Si, L\, H\, TPi, TOo,i) and N 2 = (S 2 , T 2 , 772? IP 2 ? too, 2 ) 
be two trace net systems such that Si ft S 2 = 0 and (Li U L 2 ) D (Hi U H 2 ) = 0. 
The parallel composition of Ni and N 2 is the trace net system 
Ni | N 2 — (Si U 5*2 , Li U L 21 Hi U H 2 , Wi U W 2 , too,i © mo, 2 ) 

Definition 20. Let N = (S, L , H , W, Too) be a trace net system and let U be a 
set of transitions. The restriction on U is defined as N\U = (S, L ' , H' ,W' , mo), 
where 

L' = L\U 
H' = H\U 
W' = W\(SxU) 

The results presented in Section 3 continue to hold also for trace nets: 

Theorem 6. Let N = (S, L, if, IT, Too) be a trace net system. N is BNDC if 
and only if N is SBNDC. 

Theorem 7. Let N = (S, L , H , W, too) be a trace net system. N is PBNI+ if 
and only if N is SBNDC. 




14 



Nadia Busi and Roberto Gorrieri 



5.3 Example: Binary Memory Cell 

In this section we recast the example of a binary memory cell proposed in [3] in 
our framework. 

A binary memory cell can contain a binary value, i.e. , either 0 or 1. The 
memory cell is accessible to both high and low users, that can read and write 
a value in the cell. The trace net representing the binary cell is reported in 
Figure 8. 



who 




Fig. 8. The trace net modeling a binary memory cell. 



A token in place cq (resp. Ci) represents the fact that the current value con- 
tained in the cell is 0 (resp. 1). Each operation is modeled by two transitions, 
one for each binary value that can be contained in the cell. For example, tran- 
sition who (resp. wh\) is performed by a high level user that writes the value 0 
(resp. 1) in the cell. A write operation of e.g. value 0 in the cell is represented 
by a transition that sets the contents of place Co (i.e., puts one token in place 
Co regardless of its previous contents), and resets the contents of place C\ (i.e., 
removes the possible token present in place ci). A read operation of e.g. value 0 
is represented by a transition with a read arc on place Co, i.e., a transition that 
can happen only if place Co contains a tokens. 

As already pointed out in [3], the binary memory cell depicted in Figure 8 
is completely insecure, as a high level user can send confidential information to 
a low level user through the binary cell. In fact, the binary cell is not PBNI+ 
because of the existence of (at least) the active causal place c\. Note that c\ is a 
potentially causal place, because the high transition wh\ has a set arc on C\, and 
the low transition rl\ has a read arc on ci. Moreover, if we consider the firing 
sequence {co}[uAi){ci}[rZi){ci} also the conditions for the potentially causal 
place ci to be an active causal place are fulfilled. 

In order to avoid the flow of information from the high user to the low user, 
we can either forbid all the read operations performed by a low user or forbid 
all the write operations performed by a high user, thus obtaining the trace nets 
depicted in Figures 9 and 10. 
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who 




Fig. 9. The trace net obtained by removing the low level read operations. 




Fig. 10. The trace net obtained by removing the high level write operationsl. 

The trace nets obtained in this way do not contain any (potential) causal or 
conflict place. 

6 Conclusion 

A structural non-interference property PBNI+ is proposed to firm more strongly 
the intuition about the nature of interferences and to obtain more efficiently 
checkable property. We start defining PBNI+ for the simpler class of contact 
free elementary net systems, then the definition is extended to the richer class 
of trace net systems. We showed that PBNI+ turns out to be equivalent to the 
behavioural property SBNDC , initially proposed in a process algebraic setting 
[7,8]. 

The property PBNI+ is structural because no notion of observational equiv- 
alence is considered in its definition; however, to be precise, the definition of 
PBNI+ requires a limited exploration of the state space (marking graph), hence 
it is in some sense a behavioural property. 

The main difference of PBNI+ w.r.t. the non-interference properties PBNI 
and RBNI , introduced in [4,5], is that PBNI+ captures only flows of positive 
information from high users to low users, whereas RBNI (and in some cases also 
PBNI) capture both positive and negative flows. Consider for example the net 
system N& in Figure 6: the net N 4 does not satisfy PBNI and RBNI , because of 
the presence of the conflict place s. Indeed, there exists a negative information 
flow from high users to low users: if the low action l is performed, the low 
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user knows that the high action h has not been performed (and will never be 
performed) . On the other hand, N 4 is PBNI+, because s is not an active conflict 
place. Indeed, no positive information can flow from high users to low users. 

The current investigation was conducted for two classes of “safe” net systems, 

i.e., for nets whose places can contain at most one token. A natural extension 
of this approach is to consider Place/Transition systems, where each place can 
contain more than one token. 
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Abstract. Generating the reachability set is one of the most commonly 
required step when analyzing the logical or stochastic behavior of a sys- 
tem modeled with Petri nets. Traditional “explicit” algorithms that ex- 
plore the reachability graph of a Petri net require memory and time at 
least proportional to the number of reachable markings, thus they are 
applicable only to fairly small systems in practice. Symbolic “implicit” 
algorithms, typically implemented using binary decision diagrams, have 
been successfully employed in much larger systems, but much of the 
work to date is based on breadth-first search techniques best suited for 
synchronous hardware verification. Here, instead, we describe recently- 
introduced data structures and algorithms particularly targeted to Petri 
nets and similar asynchronous models, and show why they are enor- 
mously more efficient for this application. We conclude with some direc- 
tions for future research. 



1 Introduction 

Petri nets [29,32] are an excellent formalism to model a large class of discrete- 
state systems that exhibit a large amount of asynchronous behavior, yet have 
the capability to occasionally synchronize some of their activities. Such systems, 
often called globally- asynchronous locally- synchronous, arise in flexible manufac- 
turing, communication protocols, asynchronous circuit design, embedded flight 
controllers, and, of course, distributed software, to name a few examples. 

Once a system has been modeled with a Petri net, its logical behavior can 
be studied with a variety of techniques, such as invariant analysis , reachability 
graph generation , and simulation or token game. 

Invariant analysis [18,29] is always applicable to ordinary Petri nets and is 
often quite efficient, since it directly operates on the incidence matrix of the net, 
but it has limitations. For example, it can prove that a particular marking is not 
reachable from the initial marking, but it can never prove that it is reachable. 
One of its most useful applications is perhaps the investigation of boundedness 

* Work supported in part by the National Aeronautics and Space Administration 
under grant and NAG-1-02095 and by the National Science Foundation under grants 
CCR-0219745 and ACI-0203971. 
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properties: a place is bounded if it is covered by a place-invariant. However, if a 
Petri net has inhibitor arcs, invariant analysis does not take them into account, 
so that a place might still be bounded even if it is not covered by any place- 
invariant. With self- modifying nets [38], the situation is even worse, since only 
limited place-invariant algorithms have been proposed for this class [7]. 

At the opposite extreme, the token game can be played on any discrete-state 
Petri net, regardless of the extensions one might use, but it is akin to testing. 
Simulation is an essentially incomplete type of analysis that, while helpful in 
understanding the system under study, is quite time-consuming and cannot be 
relied upon when attempting to discover all undesirable behaviors. 

Only reachability analysis can provide complete answers, since it does gen- 
erate all the possible markings and behaviors of the net. Of course, even this 
statement needs to be tempered by practical considerations. For ordinary Petri 
nets, we might not be able to store the entire reachability graph of the net, thus 
we might fail to provide an answer. For Turing-equivalent extensions of Petri 
nets, even just being able to tell whether a net is bounded, thus whether it 
makes sense to attempt its reachability set exploration, is an undecidable prob- 
lem since the halting problem can be reduced to it [1,23]. In practice, we are 
limited to hoping that the reachability set is not only bounded, but small enough 
to fit in the memory of our computer. Such a brute- force approach makes nev- 
ertheless sense, and many research efforts have been directed at finding efficient 
algorithms and data structures to generate and store the reachability set. While 
these works cannot change the theoretical nature of the limitations, they can 
change the practical impact of the approach, by making it applicable to larger 
and more realistic systems. 

In this paper, we present our approach to scale-up the applicability of reacha- 
bility set generation through the use of decision diagram and Kronecker operator 
techniques. This approach reflects work spanning several years, starting from our 
ICATPN 1999 [28] and 2000 [9] papers, up to the saturation algorithm [10, 11] 
and its applications to verification [14, 15]. The “smart” in the title is a reference 
to our software tool SMART [8], which implements all the algorithms and data 
structures we discuss, and was used to obtain the results we present. The rest 
of paper proceeds as follows. Section 2 contains background material on explicit 
and symbolic reachability set generation. Section 3 discusses our data structures 
targeted to Petri nets and the saturation algorithm. Finally, Section 4 outlines 
some of our ongoing research to further improve the efficiency and applicability 
of this approach. 

2 Traditional Breadth-First Reachability Set Generation 

This section describes our extended class of Petri nets, defines their reachability 
set, and summarizes traditional explicit and BDD-based breadth- first algorithms 
for the generation of their reachability set. In contrast to the algorithms and data 
structures described in Section 3, though, these algorithms are not particularly 
targeted to Petri nets, in the sense that they do not exploit the structural prop- 
erties of the net. 



